►
Description
Learn how Red Hat weaves together DevOps and Security to master the force called DevSecOps. This show brings you Red Hat products and our security ecosystem partners to aid in your battle. We help you integrate DevSecOps into your OpenShift lifecycle and create a strategic advantage to win against the dark side (aka security problems). Bring your lightsaber and be prepared to train hard... may the DevSecOps be with you!
A
Good
morning,
good
afternoon,
good
evening,
wherever
you're
hailing
from
welcome
to
another
episode
of
devsecops
is
the
way
today
we're
going
to
be
talking
about
identity
and
access
management,
which
is
everybody's
favorite
thing,
I'm
sure,
but
a
critical
component
in
anyone's
infrastructure,
so
dave
muir,
is
here
with
us
today
and
dave
is
going
to
introduce
our
guest
and
show
topic
and
all
that
fun
stuff.
So
take
it
away.
Dave.
B
Yeah,
thank
you
chris,
and
I
appreciate
everyone
joining
today.
So
I'm
just
gonna
present
a
couple
slides
and
I
promise
these
are
the
only
slides,
you'll
see
in
today's
show.
I
think
we
have
a
really
good
one
for
you.
Today.
We've
got
mark
horstein
who's,
the
co-founder
and
cto
of
tremolo
security,
we'll
we'll
give
mark
some
time
to
introduce
himself
in
a
bit.
I'm
dave
muir,
I'm
at
red
hat
in
the
global
solutions.
Architect,
that's
focused
on
our
partners
on
our
security,
independent
software
vendor
partners,
mostly
around
openshift.
B
According
to
a
framework
we've
developed
around
devseconds-
and
you
could
see
march
was
vulnerability.
April
was
all
about
compliance
and
month
is
identity
and
access
month,
and
so
what
we
do
is
we
bring
several
publications
to
the
general
public
one.
Is
this
open
shift
tv
show?
We
also
have
another
openshift
tv
show
that
we
produce
on
a
monthly
basis.
The
other
one
we
did
this
month
was
actually
yesterday,
so
you
can
go
catch
it
on
youtube.
B
If
you
missed
it,
we
also
produce
about
three
podcasts
and
as
much
other
content
that
we
can
assemble.
We've
done
blogs
and
case
studies
and
white
papers,
and
things
like
that,
hopefully,
in
the
next
couple
weeks,
we're
actually
going
to
be
publishing
a
page
on
red
hat
that
lists
all
this
content
by
month.
So
you
can
quickly
reference
it.
So
we're
excited
about
that,
and
so
just
to
talk
a
little
bit
about
the
framework,
and
you
could
see
what
we've
done
here.
B
We've
actually
worked
with
the
industry
and
folks,
like
our
partners
and
other
industry
and
analysts
to
come
up
with
a
taxonomy
around
devops
and
devsecops
and
what
security
categories
you
know
you
can
name
and
plot
against
a
devops
pipeline,
and
you
can
see
some
of
those
categories
here.
We've
got
nine
different
categories
that
map
in
certain
ways
across
a
devops
pipeline.
Underneath
these
categories
we
actually
have
identified
34
different
security
methods
or
functions
so,
for
example,
under
identity
and
access.
You've
got
things
like
authorization
and
authentication.
We'll
talk
about
that.
B
B
C
C
C
This
is
going
to
fix
all
our
problems
and
then
they
drop
it
in
the
laps
of
the
folks
in
the
field
that
have
to
actually
implement
it,
and
we
found
we
were
spending
all
of
our
time
working
around
the
assumptions
of
what
the
vendor
put
together
said.
Well,
no,
this
isn't
how
this
business
actually
works.
C
The
buzzword
at
the
time
was
virtual
appliance
like
there
were
no
containers
yet
and
we're
like
you
know:
yeah
we're
gonna
have
this
virtual
appliance
that
you
know
you
could
just
drop
in,
and
you
know
nobody
really
needed
to
know
what
a
virtual
appliance
was
because
it
was
marketing
and
yeah,
but
it
made
people
feel
that
that's
what
we
had,
and
so
we
said,
okay,
we're
going
to
take
this
toolkit
approach
instead
of
having
this
one
monolithic
thing,
that
is,
your
identity
management
system.
We're
going
to
give
you
something!
C
That's
going
to
sound
a
lot
like
microservices
for
identity,
we're
going
to
give
you
your
virtual
directory,
your
user
provisioning,
your
sso,
all
these
little
components
we're
going
to
let
you
assemble
them
in
a
way
that
matches
what
you're
doing
so
implementation
time
like
was
turned
on
its
head.
You
know
we
used
to
have
a
rule
that
for
every
dollar
of
software
you
buy
you're
gonna
spend
two
dollars
implemented,
implementing
that
software
professional
services.
We
flipped
it
on
a
tent
and
then
every
two
dollar.
C
Every
dollar
you
spent
on
our
software
you're
spending
like
50
cents
on
implementation
time
and
it
made
for
a
great
implementation,
maybe
a
really
hard
demo,
because,
like
yeah,
we
can
do
all
the
things
and
yeah.
I
mentioned
red
hat
summit
in
2015
because
that's
when
I
was
kind
of
first
introduced
to
openshift
and
I've,
I
always
had
a
soft
spot
in
my
heart
for
infrastructure.
C
C
So
you
know
we
started
looking
into
getting
ourselves
into
a
gear,
and
then
then
we
discovered
kubernetes
and
openshift
v3
and
and
we've
been
in
love
with
the
kubernetes
and
openshift
ever
since
so
we
started
our
kubernetes
in
the
openshift
world,
with
openshift,
v3
and,
and
you
know,
kind
of
understanding
the
differences
between
openshift
and
upstream
kubernetes
and
and
working
with
customers
there.
And
then
you
know
the
last
three
or
four
years
really
has
had
a
focus
on
making
it
easier
to
secure
your
kubernetes
infrastructure.
C
B
A
C
B
B
C
Yeah
so
and
I'll
be
the
first
to
say,
I
am
an
absolute
poser
when
it
comes
to
anything
music.
I
can't
get
past
guitar
hero
on
easy,
so
you
know
I.
I
tried
to
teach
myself
the
guitar
once
and
failed
miserably.
I
was
the
kid
didn't
record
her
in
third
grade
who
had
to
sit
there
and
just
play
with
my
fingers,
because
I
I
couldn't
guess
so
yeah.
So
what
a
tremolo
is
is
it's
the
fluctuation
of
the
sound
wave?
C
So
when
you
hit
the
whammy
bar
on
a
guitar
or
you
hit
the
fluctuate,
I
forget
the
name
of
the
thing
on
like
an
organ
or
something
get
that
that
wave,
that's
called
a
tremolo
yeah,
and
so
what
what
happened
was
I
I'm?
I'm
I'm
terrible
at
marketing
I'll
be
the
first
one
like
naming
things
like?
No,
not
my
forte,
so
one
of
my
co-founders
who
actually
is
quite
good
at
marketing,
you
know
we're
trying
to
sit
there.
You
know.
C
What's
the
name
like
we
thought
up,
this
idea
and
the
very
first
iteration
of
the
product
was
a
and
this
will
sound
really
close
to
the
heart
to
all
of
us
in
the
cloud
native
computer
cloud
native
community,
a
universal
reverse
proxy
that'll
do
authentication
authorization,
integration
and
the
original
idea
was.
It
was
going
to
do
any
kind
of
authentication.
You
wanted
on
the
front
side
and
the
back
side
was
going
to
use
kerberos
and
s
for
you
to
sell
for
any
kerberos
geeks
out.
C
There
never
worked,
but
that
was
the
original
idea
was
to
replace
what
what's
commonly
known
in
the
industry
as
a
web
access
management
solution.
So
if
you're
through
a
siteminder
or
obliques,
which
is
now
oracle
access
manager,
you
know
kind
of
really
old-school
tools
like
that
sun
access
manager
that
those
are
web
access
management
tools-
they
have
agents
they're
painful
they're
expensive.
C
So
we
wanted
to
build
this
reverse
proxy,
where
everything
was
just
built
in,
and
so
my
original
idea
for
the
company
name
was
auto
idea
and
my
co-founder
was
like
well,
you
know
yeah,
it
describes
it,
but
it's
kind
of
clunky
doesn't
really
roll
off
the
tongue.
Isn't
super
memorable,
and
so
it's
like
well,
you
know
he
came
back
to
me
and
said:
okay
tremolo
secure.
He
explains
to
me
what
a
tremolo
is.
He
goes.
C
C
B
Yeah
same
same
yeah,
I
I
also
know
the
the
discouragement
when
you've
got
a
great
idea
and
you
have
a
domain
name
and
then
you
go
and
see
if
it's
open
and
and
it's
not
and
you're
like
wait
a
minute,
it
doesn't
even
work,
but
somebody
has
it.
You
have
to
pay
them
three
grand
yeah,
yeah,
well
cool,
and
you
mentioned
you
did
a
lot
of
stuff
with
red
hat
and
an
open
shift
and
a
lot
of
community
involvement.
Can
you
talk
a
little
bit
more
about
what
you've
done
in
the
community.
C
Oh
yeah,
I
mean
we've,
we've
been
pretty
active
inside
both
the
cates
and
the
the
open
shift
community.
Almost
since
day
one
you
know
shout
out
to
diane
muller,
or
I
mean
the
the
open
shift
commons.
You
know
getting
us
involved
in
that.
You
know
whether
it's
just
answering
questions
on
slack
doing
briefings
stuff
like
that,
and
then
you
know
in
the
kubernetes
world,
where
we
really
got
our
start.
Was
when
one
three
when
oidc
first
debuted,
I
had
to
learn
how
open
id
connect
actually
worked.
C
Well,
that's
an
easy
contribution
right.
Let's,
let's
go
ahead
and
document
documentation's
hard
like
anybody
who
tells
you
that
you
know.
Oh,
let's,
you
know
or
hand
off
documentation
to
a
junior
person
or
somebody
like
you
know
who
downplays
anything
to
do
with
documentation,
no
idea
what
they're
talking
about
like.
I
don't
like
to
keep
them.
C
Sorry,
you
talk
down
documentation,
you
know
no,
like
documentation
is
so
important,
and
so
that
was
really
cool
to
me
to
be
able
to
say,
hey,
let's
write
some
documentation
because
people
actually
get
a
lot
out
of
that,
so
their
first
contribution
and
since
then
I've
actually
made
some
code
contributions,
which
was
fun
added
impersonation
to
the
to
the
the
web
ui.
So
that
would
work
real
well
in
hosted
solutions
recently,
added
impersonation
and
reverse
proxy
open
id
connect
support
to
keali.
C
So
that's
the
dashboard
for
istia.
So
that
was
a
lot
of
fun.
That
was
really
interesting
and
yeah,
and
you
know
if
you're
in
slack-
and
you
ask
anything
about
authentication
or
are
back
chances
are
I'll,
be
you
know
the
first
second
person
to
respond
to
you,
so
we
we've
been
pretty
active
in
the
community
and
then
in
the
red
hat
world.
Yeah
we've
been
working
with
openshift
we're
we're.
We
were
the
fir.
C
We
were
in
the
first
class
of
the
original
certification
process
when
it
switched
over
to
the
newer
certification
process,
we're
in
the
first
class
when
operators
were,
you
know,
going
to
be
the
first
thing.
We
were,
you
know,
we're
sitting
there.
What
was
it
was.
The
last
time
summit
was
in
boston,
2019
yeah.
C
I
was
sitting
there
during
openshift
commons.
You
know
fixing
our
script
we've
we
managed
to.
We
do
everything
the
hard
way,
so
our
operator
is
actually
not
built
on
the
operator
sdk.
We
wrote
it
in
javascript
and
so
we're
finding
all
these
different
edge
cases
with
with
the
certification
script
or
working
with
them
figuring
out.
What's
going
on
so
we
you
know,
we've
always
had
fun
and
red
hat's
just
always
been
amazing
to
us.
So
yeah
we
always
have
a
blast
working
with
y'all
yeah.
C
C
It's
one
of
those
things
that
baffles
people
like
it's
people
find
it
really
really
hard
to
do,
because
it
is
in
fact
really
really
hard
to
do,
and
what
a
lot
of
I'm
seeing
now
is
as
kate's
is
moving
more
and
more
into
the
enterprise
is
a
need
to
look
at
more
deeply
the
authorization
systems
inside
the
cluster,
especially
as
you
start
looking
at
your
developer,
workflow,
because
you
know
your
developer,
workflow
isn't
just
right.
It's
it's
kings!
It's
a
pipeline!
Now,
maybe
that
pipeline.
C
You
know
we're
going
to
talk
about
techcon
so
that
right
runs
inside
your
cluster.
So
that'll
pick
you
back
off
our
back,
but
you
might
be
using
jenkins.
You
might
be
using
circle
ci
or
azure
devops
or
any
of
the
25
million
other
pipeline
systems
out
there
right
they'll
have
their
own
identity
systems,
they
all
have
to
securely
talk
to
your
clusters
and
your
infrastructure.
C
You
know
you,
you
look
at
your
git
system,
like
okay,
we're
going
to
make
git
the
center
of
our
compliance
world
and
our
our
source
of
truth
for
what's
happening
now,
github
and
gitlab,
or
whatever
you're
using
they
all
have
their
own
identity
systems.
They
have
all
their
own
processes,
all
their
own
setups.
C
You
know:
where
do
you
store?
Your
containers
are
using
a
built-in
registry
in
openshift.
Are
you
using
harvard?
Are
you
using
one
of
the
25
other
container
registry
systems
out
there?
They
all
have
their
own
identity
systems,
and
so
you
know
it
where
we
started
was
kind
of
the
same
space
as
a
service.
B
C
C
Everybody
is
narrowly
focused
on
that
one
thing:
I'm
getting
you
a
ride
or
I'm
getting
you
a
pizza,
I'm
getting
you
something
else
right
and
everything
is
so
super
focused
on
that,
whereas
an
enterprise
you
have
a
handful
of
truly
enterprise-wide
app
right.
You've
got
collaboration,
your
email,
your
sharepoint,
you
know
whatever
you're
using
collaboration.
You've
got
hr
systems.
C
You've
got
erp,
you
have
crm
that,
like
those
are
truly
enterprise-wide
systems,
but
then
you
have
like
hundreds,
maybe
even
thousands
of
applications
that
are
very
domain
specific
and
can
have
anywhere
between
a
few
hundred
users
or
a
few
thousand
users,
depending
on
the
size
of
the
organization
and
to
the
people
who
use
it.
That
is
like
the
most
michigan
culture
in
the
world,
but
to
everybody
else,
they're
worried
about
their
thing,
and
so
enterprises
just
have
different
things
that
they
care
about.
They've
got
to
worry
about
things
like
silos.
C
They
have
to
worry
about
things
like
you
know
the
centralized
authentication
that
they
don't
own
right.
You
know,
if
I'm,
if
I'm
working
at
a
service
provider,
you
know
maybe
they're
using
octa
or
something
like
that
that
but
it's
more
tightly
integrated
into
the
system,
whereas
in
an
enterprise
the
people
who
own
active
directory
are
not
the
same
people
who
own
your
cloud
native
infrastructure,
not
the
same
people,
own
applications
right.
So
the
people
in
active
directory
man,
active
directory,
goes
down
you're
having
a
really
bad
day,
like
slack,
goes
down.
C
Yeah
we're
going
to
go
through
a
party
act.
The
directory
goes
down,
the
dinosaurs
start
eating
the
tourists.
So
you
know
the
read-only
account.
That's
easy
right
account,
that's
a
little
bit
harder,
so
you
have
to
deal
with
those
silos
and
then
some
of
the
less
sexy
things
about
kubernetes,
but
things
we
all
need
to
know
like
backups
policy
management.
C
Things
like
that,
and
then
it
all
kind
of
culminates
in
into
the
demo
that
we're
going
to
do
today.
I
wish
it
was
going
to
be
live
and
it
could
break
and
I
can
show
it
breaking.
Unfortunately,
I
managed
to
nuke
my
entire
environment
ahead
of
time,
so
we're
going
to
have
to
go
through
a
video
demo
yeah,
but
you
know
it
all
kind
of
culminates
into
this.
You
know
building
a
platform
right.
How
do
you?
How
do
you
map
your
business
logic
into
an
actual
implementation,
around
git,
ops
and
whatnot?
B
C
That
really
requires
understanding,
not
just
the
technology
involved,
because
you
have
to
be
good
technologists
because
yeah
we're
going
to
throw
up
the
whiteboard
here
in
a
minute-
and
you
know
there's
all
these
intricacies-
that
you
have
to
understand
to
do
from
technology
standpoint,
but
you
also
have
to
be
able
to
go
back
and
say:
okay,
what
are
the
processes
I
need
to
implement
this
for
like?
Why
do
I
have
to
do
it
this
way?
C
So
like
going
back
to
the
book
in
that
last
chapter,
we
don't
even
start
talking
about
tech
until
we're
about
two-thirds
of
the
way
through
and
we're
talking
about.
What's
a
pipeline,
why
do
you
design
a
pipeline
a
certain
way?
How
do
you
design
your
developer?
Workflow,
because
that
that
graphic
that
you
showed
at
the
beginning
of
all
the
different
categories
of
security
and
whatnot?
C
If
you
don't
have
a
way
to
map
that
onto
your
business
process,
you
can't
match
your
compliance
requirements
because
you
don't
know
what
they
are.
You
can't
make
your
users
happy,
because
you
can't
tell
your
users
how
to
work
your
users
or
your
customers
right.
They
have
to
tell
you
how
they
want
to
work.
C
C
I
might,
if
that's
what
the
business
lines
up
with
it's
been.
My
experience
that
I
don't
you
know.
Usually
what
ends
up
happening
is
the
cloud
team
says
you
know
we
got
enough
to
worry
about
just
keeping
everything
up
and
running
here.
Here's
your
sandbox!
Here's,
your
your
field!
Y'all
are
responsible
for
this.
You
know
just
leave
us
adam.
C
We're
gonna
make
it
so
that
it's
as
hard
for
you
as
possible
to
break
things,
and
so
that
becomes
a
really
important
process
of
who's
going
to
own
what
who's
going
to
own
that
responsibility
and
ultimately,
who's
going
to
sign
on
the
dotted
line
so
that,
as
it
goes
up
the
chain
you
know
and
the
cfo
has
to
sign
on
the
dog
line
or
they
go
to
jail.
You
know,
does
everything
map?
Are
the
auditors
going
to
be
happy?
C
B
A
C
C
B
C
Yeah
yeah,
so
I
figured
have
some
fun
with
a
whiteboard
instead
of
slides,
because
we
all
hate,
slides
so
yeah.
Well,
let's
think
about
a
developer,
workflow
right.
How
do
you
want
your
developers
to
work
so
you've
got
a
prod
environment
and
you've
got
an
application
right,
so
yeah
hello
world
right,
because
that's
the
most
complicated
application.
Everybody
does
well.
That
runs
inside
of
a
container
right
and
we'll
say
it's
running
inside
of
openshift.
C
C
C
That's
another
identity,
because
obviously,
if
somebody
gets
a
hold
of
that
pipeline,
you
know
and
when
I
say
get
to
hold,
you
know
it's
not
just
you
know
the
the
you
know
the
hacker
with
the
sunglasses
and
the
hoodie.
You
know
sitting
there
trying
to
ruin
the
world.
It's
the
developer,
who
forgot
to
switch
their
dev
context.
C
I
personally
have
never
done
that,
but
you
know
it
happens.
Right
yeah.
I
haven't
done
that
since
like
this
morning,
so
you
know,
you've
got
your
pipeline,
but
now
that
pipeline
doesn't
just
push
register.
Let's
talk
about
git,
ops
right.
Your
pipeline
is
also
going
to
push
manifests
into
openshift
right.
So
you've
got
your
get.
Ops.
You've
got
your
argo
over
here.
C
C
That's
another
identity,
and
so
far
we've
only
talked
about
things
at
a
system
level.
Right
I
mean
we
haven't
actually
like
gotten
into
users,
humans,
yeah,
so
we're
still
going
because
your
pipeline
in
the
gitops
world
isn't
just
going
to
generate
a
container,
but
it's
also
going
to
make
an
update
to
your
manifests
to
point
to
that
container.
C
C
And
then
your
your
git
repo,
so
you've
got
pipeline.
That's
got
to
be
able
to
talk
back
and
forth
here.
You've
got
a
container
registry.
You've
got
your
actual
open
shift.
You
know
that's
running
the
code,
so
all
these
different
system
level,
identities,
okay,
but
now,
let's
talk
about
the
user
identity
for
a
second.
C
So
you
know
I'm
going
to
draw
some
swim
lanes
here.
I'm
going
to
bust
out
my
my
management
consulting
glove
and
you
know:
you've
got
your
devs.
You've
got
your
ops
and
you've
got
your
owners,
so
your
owner,
that's
your
pointy
head
manager,
right
and
they're,
going
to
say:
okay,
we're
deploying
this
new
application.
C
C
But
I
don't
want
my
devs
to
be
able
to.
I
want
my
devs
to
have
to
work
locally
and
then
commit
into
repos,
so
yeah
a
new
op,
a
new
app
gets
created
and
then,
as
a
dev
or
an
off,
I
say
you
know:
can
I
access
now
that
might
be
a
servicenow
ticket?
If
you
know
you
have
to
go
through
that
process,
somebody.
B
C
C
You
then
need
to
get
provision,
but
what
do
you
actually
get
for
vision?
Two?
Well,
if
you're
talking
about
git
lab,
you
should
be
a
developer
on
the
projects,
but
you
shouldn't
be
able
to
commit
to
the
projects
right,
so
you've
got
to
go
into
gitlab
as
a
dev
and
then
you're
going
to
need
to
be
able
to
access
openshift
like
even
if
you're,
just
using
it
to
access
tecton
to
be
able
to
see.
What's
going
on
so
some
read
access
and
then
you
want
to
get
into
argo.
I
mean
argo
is
a
great
interface.
C
Right,
these
all
have
their
own
identity
system.
There's
no
rhyme
or
reason
like
gitlab
will
have
something
similar
to
github.
It's
yeah,
it
ain't
the
same
language,
but
at
least
it's
like
you
know,
somebody
who's
done.
Git
lab
will
look
at
the
way.
Github's
permissions
are
set
up.
Okay,
that
makes
sense,
and
vice
versa.
But
it's
not
the
same
thing:
it's
not
the
same
api,
it's
not
the
same
standard.
C
So
when
you
create
your
projects,
you
know
your
your
application.
You
have
to
connect
all
these
things
from
a
user
perspective
so
that,
as
a
user,
all
these
things
are
seamlessly
integrated.
So
you
know
we
talk
a
lot
about
sso
and
authentication
getting
in
on
the
front
side,
but
that's
the
easy
part
once
you're
in
what
do
you
have
access
to?
C
C
And
then
I
want
to
push
that
into
you,
know,
get
and
that's
when
we
get
to
this
stuff
and
all
the
magic
happens
right.
So
all
this
stuff
is
happening
behind
the
scenes
and
when
you
want
to
provision
this
stuff,
you
know
think
about
and
get
get
work
get
flow.
You
don't
want
to
commit
anything
to
that
main
project.
You
want
to
have
forks,
so
you
have
prod
for
it
dev
fork.
C
C
C
Do
you
have
the
ability
to
do
that?
Are
you
going
to
store
it
in
octa?
You
know:
where
are
you
going
to
store
that
information
who's
going
to
own
it?
How
do
you
keep
it
up
to
date?
Do
you
have
compliance
issues
like
you
know?
Should
somebody
have
to
recertify
this
access
every
you
know
year,
60
days,
nine
days
whatever
it
is
so
like
I,
actually,
I
don't
think
it's
published
anymore,
but
a
few
years
ago,
red
hat
published
this
nist
853
guide
to
openshift.
C
So
for
for
those
who
aren't
aware,
nist
853
is
the
the
uber
set
of
security
controls
that
the
government
uses.
That's
like
the
baseline
and
red
hat,
published
a
guide
and
said
this
is
how
you
run
these
controls
with
openshift
and
how
you
know
a
big
giant,
spreadsheet
and
there's
you
know
20
or
30
controls
specific
to
identity
management
and
they
all
said
not
my
problem.
That's
somebody
else's
problem
right
because
it's
a
really
hard
problem
to
solve.
You
can't
just
say
this
is
how
I
do
even
though
openshift
has
its
own.
C
You
know
openshift,
unlike
upstream
kubernetes,
has
its
own
built-in
identity
system,
its
own
way
of
storing
users
and
groups,
there's
still
a
lot
of
work
that
goes
into
making
that
happen
from
a
control
standpoint.
So
you
know
when
you
look
at
this
and
say:
okay.
Well,
I
can
get
sso
into
argo.
I
can
get
sso
into
openshift.
I
can
get
sso
into
github.
C
That's
the
easy
part
building
out
all
these
relationships.
That's
the
hard
part
like
that,
like
comparatively
speaking
not
say,
sso
is
easy,
but
when
you
look
at
the
the
I
you
know
the
iceberg
picture.
Sso
is
this
little
tiny
part
up
here?
The
authorization
framework
is
the
bottom
part
down
there
and
that's
really
where
the
rubber
hits
the
road.
And,
what's
great,
is
it's
big?
It's
daunting,
but
when
you
do
it
right,
oh
man,
your
developers
love
it.
C
I've
got
one
customer
that
that
they're
they're
relatively
small
hedge
fund,
as
these
things
go
in
the
uk
and
we
built
out
a
system
for
them
that
you
know
user
goes
in
and
they
say
I
want
to
create
a
new
project
and
it
was
all
aws
infrastructure.
So
it
was,
you
know
we
would
build
out
their
code,
build
their
code,
commit
check
in
their
initial
stuff.
C
C
B
B
I
don't
call
this
thing
a
smartphone
because
it
takes
me,
five
tries
for
me
to
just
unlock
it,
sometimes
like
so
when
everything
works
and-
and
I
only
have
to
by
the
way
single
sign-in
once
and
not
four
times
a
day
to
the
same
browser
and
it's,
but
it's
very
it's
nice
right.
It's
it's!
Not
it's
frustrating
when,
when
that
doesn't
work,.
C
C
C
I
want
to
create
a
new
application,
so
I'm
going
to
go
in
and
say:
okay
create
a
new
app
for
me
and
because
this
was
a
live
demo
and
I
didn't
want
things
to
break-
I
I
pre-did
as
much
as
I
could
so
I'm
going
to
say:
okay
go
ahead,
please
create
a
new
namespace,
create
a
new
project
for
me,
so
the
request
goes
in
and
then
the
next
thing
I'm
going
to
do
is
I'm
going
to
log
in
as
a
ops
person.
Somebody
is
going
to
approve
the
creation
of
this
project.
C
Now
this
is
kind
of
opinionated.
The
way
we
thought
people
would
want
to
do
it,
but
going
back
to
that
business
discussion,
people
are
going
to
do
it
the
way
that
they
need
to
do
it.
So
I've
had
customers
who
have
started
with
this
and
said
you
know
we
don't
we
don't
want
an
approval,
we're
going
to
use
our
own
portal
to
do
that
process.
We
just
want
to
call
your
api
right.
You
want
to
be
flexible
enough
to
be
able
to
handle
all
those
different
scenarios.
C
So
what
I'm
doing
right
now
is
I'm
logging
in
as
that
ops,
admin
and
you
can
see
I've
got
that
open
approval,
so
I'm
going
to
review
it
and
I'm
going
to
approve
it.
Now,
keep
your
eye
on.
What's
going
on
up
here,
because
you're
going
to
see
just
the
scrolling
of
objects
being
created
across
multiple
different
systems,
it
takes
a
second
or
two
or
ten.
So
there
we
go
so
it's
starting
to
churn.
C
So
not
only
is
it
automating
that
process
it's
creating
groups
inside
of
a
database
that
I
have
access
to
and
I
manage
so
I
can
externalize
my
authentication
while
still
managing
the
authorization
managing
the
business
process
around
that,
and
it's
also
creating
an
audit
of
everything.
So
we're
going
to
see
here
in
a
second
once
I
catch
up
that
I'm
going
to
actually
log
in
and
take
a
look
at
the
report.
C
So
I'm
going
to
log
out
log
back
in
here
because
I'm
realizing-
I
don't
know
oh
yeah,
so
quick,
and
so
I'm
going
to
go
to
a
report
here
and
that
report
is
just
driven
off
of
a
database
schema
like
we
don't
we
don't
make
you
use
some
special
fancy
reporting
tool.
We
include
some
simple
reports
just
to
make
life
easier,
but
it's
all
you
know
it's
all
open
source
right.
So
you
go
to
the
audit
report
and
you
can
see
that
in
this
one
single
user
change
log.
C
This
is
the
one
the
security
folks
really
want
where
we
track
every
single
object
that
gets
created
associated
with
this
person.
So
it
might
be
a
permission
that
we
grant
the
person.
It
might
be
an
object
tied
to
a
workflow
that
that
person
executed
and
then
we're
tracking
all
those
different
objects
being
created
and
another
report
will
show
which
workflow
it's
associated,
who
approved
it
right
and
it's
all
just
sql,
so
you
can
slice
it
and
dice
it.
C
C
C
So
now,
I'm
logging
into
gitlab
and
I'm
logging
in
as
my
app
owner,
slash
developer,
make
the
the
demo
a
little
easier.
I
cut
down
on
the
amount
of
identities.
So
you
see,
I
got
four
projects
here.
I've
got
a
build
project.
That's
where
my
techton
pipelines
go.
I
got
an
operations
project.
I
got
two
operations
project.
I
have
one
for
dev
and
one
for
prod.
That's
where
my
ammo
goes.
I
have
my
actual
application
source
code.
C
Now
I
go
to
argo
and
I
can
see
that
I
have
projects
and
applications
in
argo
that
line
up
to
my
projects
in
gitlab
so
because
I've
got
identity
tying
these
things
together.
I
only
see
an
argo.
What
I
can
only
see
in
gitlab
that
I
can
only
see
an
open
shift
and
now
I'm
securely
able
to
use
these
systems
as
one,
even
though
they're
completely
different
applications
like
completely
different
people.
I
don't
have
multiple
credentials.
I
don't
have
multiple
requests.
C
Everything
is
synchronized,
so
the
first
thing
I'm
going
to
do
is
try
to
remember
what
the
first
thing
I'm
going
to
do.
So
I'm
checking
out
right
now
the
build
process.
So
we
also
stubbed
out
our
tecton
pipelines
and
event
listeners.
So
there's
an
event
listener
there.
It's
set
up.
It's
integrated
into
git
lab,
there's
a
token
in
there
to
protect
it,
to
make
sure
that
anybody
who
knows
the
url
can't
just
call
it
and
that's
been
provisioned
into
the
project
inside
of
gitlab.
C
C
Maybe
not
the
the
the
really
cool
thing
here
is
that
there
are
two
operations
project.
The
dev
operations
project
is
a
fork
of
the
production
operations
project
so
when
it
comes
time
to
actually
deploy
to
production,
I'm
running
a
merge
request,
so
I
just
actually
fork
the
application
code
project,
so
I
can
actually
just
check
in
the
application
code.
That's
the
least
amazing
part
of
all
this.
C
This
demo
was
originally
actually
to
show
off
how
techton
works,
so
it
there's
a
little
more
downtime
than
I
would
have
liked.
So
I've
pushed
the
code,
hello
world.
You
know
not
really
super
amazing,
there's
the
code
right.
So
the
next
question
is:
how
do
we
get
that
code
into
a
container
and
into
production?
So
next
I'm
actually
going
to
go
to
my
operation.
So
this
is
where
I'm
going
to
store
my
ammo.
This
is
where
my
deployment
file
is
going
to
go.
C
So
I'm
going
to
go
ahead
now
in
in
the
real
world.
What
you
would
want
is
as
a
developer.
I
would
fork
this
repository
into
my
own
space.
Do
my
work,
deploy
it
into
my
little
dev
environment.
My
little
slice
of
the
world
make
sure
I'm
happy
with
it
and
then
do
a
merge
request,
but
to
make
this
demo
a
little
simpler,
we
went
ahead
and
just
did
it
as
the
app
owner.
B
B
C
Yeah,
so
you
can
see,
argo
just
picked
it
up
and
we
have
a
broken
deployment
because
we're
not
pointing
to
any
specific
tag.
So
you
know
how
do
we
do
this
right?
We
want
our
deployment
to
point
to
a
specific
tag,
so
the
next
thing
we
need
to
do
is
we've
deployed
our
code.
We've
deployed
our
yaml.
Now
we
need
a
container
right,
so
I'm
going
to
go
into
build,
clone
it
and
again
just
like
before.
C
This
part
of
building,
so
we
did
this-
this
was
all
based
out
of
the
the
last
chapter
of
the
book.
I'd
say
this
was
some
of
the
most
fun
I
had
had
was
figuring
out
how
techton
worked
and
and
just
trying
to
work
through
the
different
abstractions,
and
you
know
kind
of
how
they
approach
things,
because
it's
so
different
from
you
know
your
typical
kind
of
shell
script
based
pipeline
system.
C
So
I'm
updating
here
you
know
some
parameters,
making
sure
that's
pointing
to
the
right
git
repo.
If
I'd
done
this
really
correctly,
you
might
say
well,
you
shouldn't
have
to
do
that
at
all.
It
should
be
generic
and
you'd
probably
be
right,
so
we
pushed
it
in
and
now
follow
the
bouncing
ball.
You'll
get
argo
here
in
the
bottom
right
hand,
corner
and
you're
going
to
find
that
it's
going
to
crop
pop
up
here
with
all
of
our
additional
pipeline
objects.
C
We
don't
have
to
manually
execute
a
pipeline
like
we
don't
have
to
create
a
pipeline
object.
We
can
now
go
over
to
git
and
let's
do
a
merge
request,
so
I'm
going
to
go
in
and
I'm
going
to,
this
is
kind
of
showing
you
there's
nothing
up
my
sleeve
because
there
are
no
pipeline
builds
and
I'm
going
to
go
in
and
do
a
merge
request
for
github
world
we'd
be
doing
a
pull
request
right.
C
C
So
this
is
the
community
edition.
So
approvals
are
optional.
Excuse
me,
if
I
merged
it,
and
now
you
can
see
immediately
stuff
starting
to
happen
in
the
argos
screen,
because
the
web
hooks
were
all
automatically
integrated.
So
we
now
have
a
pipeline
that's
running,
so
our
pipeline
is
really
straightforward.
It
generates
a
tag
based
on
a
time
stamp.
It
creates
a
build
pushes
that
build
into
my
registry
and
then
updates
my
dev
operations,
repo
with
updates
my
dev
operations,
repo
with
attack.
C
C
C
C
So
I
merge
it
and
then
argo
does
its
beautiful
thing
where
it
goes
ahead,
pulls
it
in
deploys
everything
and
yeah,
and
so
that's
everything
and
that
that's
the
whole
demo.
So
you
know
you're
seeing
that
that
beginning
to
end
without
actually
having
to
to
to
do
any
of
that
manually
and
at
no
part
did
the
ops
folks
ever
have
to
get
involved.
B
A
B
C
Whereas
when
you
get
into
enterprises,
it's
all
silent,
it's
organizationally
silent
right,
because
you
know
you
can't
manage
what
more
than
three
people
four
people.
What's
the
rule
of
thumb,
so
you
have
to
have
silos
you
like
as
much
as
we
say.
No,
let's
go
horizontal
everything's
the
same.
No,
you
have
to
have
silence.
Everybody
has
different
ways
to
manage
things.
C
I
guess
some
shameless
self-promotion
follow
me
on
twitter
at
mlb
I
am
and
the
the
recording
from
the
kubecon
session
that
one
was
a
lot
of
fun.
Actually,
we
did
a
demo
of
open
unison
and
fairwinds
our
back
manager
to
be
able
to
do
team-based
authorization.
So,
instead
of
that
one
project
being
everything
we
did
so
that
you
could
have
multiple
name
spaces
all
managed
by
a
team
without
actually
having
to
have
an
ops
person
creating
namespaces
for
you.
C
You
know
there
are
some
other
projects
that
are
getting
really
interesting,
hierarchical
name.
Space
is
one
that
I'm
really
interested
in.
Seeing
that's
gonna
go
a
long
way
towards
making
multi-tenancy
a
lot
easier
to
manage
and
the
the
loft
virtual
clusters.
I
just
saw
that's
another
project
that
I'm
gonna
be
keeping
an
eye
on
that.
One
looks
really
interesting
but
yeah.
This
is.
This
is
an
interesting
space.